A 2019 Buck HIPAA Readiness Survey verifies that health plan sponsors still struggle with HIPAA compliancy.
Buck researchers were interested in addressing the industry’s adherence to HIPAA in conjunction with an overall increase in enforcement and investigation by the U.S. Department of Health and Human Services (HHS).
The results were alarming.
Conducted in April/May 2019, the findings—particularly regarding risk assessment, business associates, employee training, and breach notification—demonstrate not only a lack of compliancy but a lack of understanding as well.
One-third of survey respondents were unsure when their organization last performed a risk/threat assessment; an additional 10% (42% total) thought the last assessment was more than five years old.
Astonishingly, only 39% updated their security policies and procedures within the last year; employee training followed the same trend.
35% of respondents last offered training one to five years ago while 13% stated their organization only provides training when an employee first starts; 10% weren’t even sure when it was last provided.
Similarly, 33% either have not inventoried their business associates (BAs) or were uncertain if an inventory was ever done.
16% were even unsure if they had current business associate agreements (BAA) written up while 3% knew that no current agreement existed.
Finally, while about three-quarters of the respondents surprisingly had breach notification policies in place, 10% unfortunately had no such policy; 16% were unsure.
What can we learn
The results should be a warning to the health industry as the numbers demonstrate that only about half of the respondents are HIPAA compliant in some shape or form.
It is essential for all health organizations to learn, understand, and implement HIPAA regulations, not only for patient privacy but to safeguard themselves.
Organizations must build policies and procedures to address each aspect of HIPAA; then they must efficiently communicate, follow, and monitor them.
Updates must occur after regulation changes, organizational developments (whether technological, environmental, or business-related), and violations or breaches.
Finally, organizations must perform (and test continuously) risk/threat analyses and employee training.
Having a strong security program and implementing technology like Paubox’s HITRUST CSF certified solutions provide the protection needed within an industry with such sensitive data.